
Admins Aren't Patching Open Source, Says Black Duck Security Report

Earlier this month, Black Duck Software released its annual Open Source Security and Risk Analysis, the first time the report has been issued since the company was acquired by the integrated systems design company, Synopsys, in December. As expected from Black Duck, the company has again found open source to be rife with security vulnerabilities and compliance issues.

The truth is probably not as bleak as the picture the report paints. Black Duck makes its living by auditing code being used by enterprise customers, and has a reputation for being a little alarmist when it comes to the security of open source software. That's understandable; being a little on the alarmist side is most likely a useful sales tool.

Also, the company's roots go back to the days when Microsoft's favorite hobby was sowing FUD -- for "fear, uncertainty and doubt" -- around "cancerous" Linux and other open source software, and evidently that aspect of the company's culture still survives. Before starting Black Duck in 2002, founder Doug Levin spent nearly eight years in Redmond's marketing division during the Gates administration.

That being said, it's obvious that the security practices at many IT departments could use some improvement.

According to the Black Duck security study, open source components were found in 96 percent of the applications the company scanned last year, with an average of 257 instances of open source code in each application. The percentage of the codebase that was open source rose to an average of 57 percent from 36 percent the previous year.

"Many applications now contain more open source than proprietary code," Black Duck points out in the report.

Within open source code the report finds security issues abound, with 78 percent of the codebases examined containing at least one vulnerability, and an average of 64 known exploits per codebase. In 2017, a year when over 4,800 new open source vulnerabilities were reported, the number of security holes per codebase grew by 134 percent.

Does this mean the open source apps you're running on your servers are filled with vulnerabilities? Probably not, if you're doing due diligence to keep your system patched. Although the report doesn't break it down by percentages, the authors note that due to the nature of open source and modern development practices, you're likely to find open source code in places other than apps that carry the open source label.

"Open source can enter codebases through a variety of ways," they write, "not only through third-party vendors and external development teams but also through in-house developers. If an organization is not aware of all the open source it has in use, it can’t defend against common attacks targeting known vulnerabilities in those components, and it exposes itself to license compliance risk."

While it's common practice for developers to incorporate open source code into applications developed for in-house use, in many instances its use will not be documented in a way that allows it to be red-flagged if a security vulnerability is made public and a patch offered. For example, Bootstrap, an open source toolkit for developing with HTML, CSS, and JavaScript, was found in 40 percent of the applications scanned, followed by jQuery, at 36 percent.

"Notable among the components common across industries was Lodash, a JavaScript library that provides utility functions for programming tasks," the report stated. "Lodash appeared as the most common open source component used in applications employed by such industries as healthcare, IoT, internet, marketing, ecommerce, and telecommunications."

What's worrisome is that most of the vulnerabilities Black Duck found have patches available. The open source developer community is good at patching vulnerabilities, usually within days of their being made public, if not before. However, the average vulnerability being found by the Black Duck security scans was six years old, with four percent of the codebases audited still containing Heartbleed, four years after the exploit made front-page news.

In the Internet of Things, where 77 percent of the code is open source, things are much worse, with a whopping average of 677 vulnerabilities per application.

For this report, Black Duck used data harvested from over 1,100 commercial codebases audited in 2017, which was then analyzed by its parent company's Synopsys Center for Open Source Research and Innovation. Industries represented in the report include automotive, big data, cybersecurity, enterprise software, financial services, healthcare, IoT, manufacturing, and mobile apps.

In addition to the deep dive into security, the report also looked at open source licensing issues, finding that 85 percent of the software examined contained either licensing conflicts or software with unknown licenses.